Hey all… topic says it. So I have my sguild starting with:

-a /opt/etc/snort/sguild/autocat.conf

That file contains:

none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%CINS||16

From my .fast file:

12:00:32  [1:2403332:645] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 17 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 125.64.92.105:6000 -> x.x.x.x:1433

Yet the sguil client shows this alert. I also don’t see anything in the Auto Cats Standard Query. Any way to troubleshoot why it’s not seeing these? Thank you.

James